Re: [ANN] Lua 5.2.1 (work1) now available

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: [ANN] Lua 5.2.1 (work1) now available
From: Roberto Ierusalimschy <roberto@...>
Date: Thu, 22 Mar 2012 19:34:44 -0300

> IIRC, the original attack seemed to require a huge volume of
> transactions to achieve its effect, with the result that (1) your web
> server/infrastructure may already be hosed by such an attack,
> regardless of your hashing scheme, and (2) it's easy to defend against
> the hash attack simply by having reasonable limits at the application
> level.
> 
> If those things are true, then a solution at the language level seems
> wrong if it results in _any_ penalty for normal applications -- and
> this is especially true for Lua, where the vast majority of
> applications have nothing to do with the web or "untrusted data".

That is a reasonable argument. In this working version, the only
clear penalty is the use of all bytes for hashing long strings.
Mabye that could be configurable (with the default being the old
method).

-- Roberto

References:
- [ANN] Lua 5.2.1 (work1) now available, Luiz Henrique de Figueiredo
- Re: [ANN] Lua 5.2.1 (work1) now available, liam mail
- Re: [ANN] Lua 5.2.1 (work1) now available, liam mail
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy
- Re: [ANN] Lua 5.2.1 (work1) now available, Miles Bader
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy
- Re: [ANN] Lua 5.2.1 (work1) now available, David Kolf
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy
- Re: [ANN] Lua 5.2.1 (work1) now available, Miles Bader

Prev by Date: Re: [ANN] Lua 5.2.1 (work1) now available
Next by Date: Re: [ANN] Lua 5.2.1 (work1) now available
Previous by thread: Re: [ANN] Lua 5.2.1 (work1) now available
Next by thread: Re: [ANN] Lua 5.2.1 (work1) now available
Index(es):
- Date
- Thread